Data Plunderers Run Off With Zappos Customer Info

Thieves have made off with personally identifying data on 24 million customers of online shoe and apparel retailer Zappos.

Announcing the hack on Sunday, Zappos CEO Tony Hsieh said that the thieves broke into the company's system through one of its servers in Kentucky.

Although customers' personal data was stolen, the secure database that stores their credit card and other payment data remained untouched, Hsieh said.

Zappos is emailing its customers and has contacted in the FBI.

The company has also expired and reset all user passwords, and it will help customers create new ones.

However, the real pain for Zappos may lie ahead, as thieves exploit the stolen data. Further, Zappos' parent company, Amazon.com, may find itself vulnerable as a result of the theft.

"Beyond the information found in CEO Tony Hsieh's letter to employees [on the company blog], there is no additional information to add and we are not doing interviews at this time," Zappos spokesperson Diane Coffey told the E-Commerce Times.

Amazon.com did not respond to requests for comment for this story.

What Happened at Zappos

The hackers made off with the names, addresses, email addresses, phone numbers and partial credit card numbers of 24 million Zappos customers, as well as their cryptographically scrambled passwords.

In addition to expiring and resetting customers' passwords, Zappos has created a link that will let each customer securely create a new password.

Zappos is also urging customers to change their passwords on any other websites where they use the stolen password or similar ones, and it has warned them to be wary of emails and phone calls that ask for personal information or direct them to websites asking for personal information.

Possible Fallout From the Zappos Hack

"Imagine millions of customers receiving a phishing email with their billing address, phone number and the last four digits of their credit card number," Roiter told the E-Commerce Times. "Only a small percentage have to take the bait to make for a very effective and profitable phishing campaign."

Zappos has "done exactly the right thing by expiring all the user passwords so the attackers won't be able to log in to [its site] with those credentials, but the larger problem is that most people reuse passwords all over the Internet," David Holmes, senior technical marketing manager for F5 Networks, told the E-Commerce Times.

For example, the attackers could match users and their passwords to other sites with financial assets, such as online banking sites, Holmes suggested.

Zapping Amazon, Too?

Amazon.com, which purchased Zappos in 2009 for a stock swap and cash, might find itself in hot water over the Zappos breach.

Amazon has taken a relatively hands-off approach to Zappos, letting Hsieh and his staff run the company the way they want to.

However, "if folks are using the same password for Amazon as they were for Zappos, they are now breached on both services, and if it were determined Zappos didn't provide notification to customers to stop using the compromised password on any service, a competent litigation team might be able to effectively hold the parent accountable," Rob Enderle, principal analyst at the Enderle Group, told the E-Commerce Times.

Safety Is an Illusion

Zappos said the stolen passwords were encrypted, which could be taken to indicate that they don't pose a real threat.

However, "the Zappos passwords were hashed ... and depending on the hashing function used, an attacker can discover the password using an approach called a 'rainbow table,'" Geoff Webb, product marketing director at Credant Technologies, told the E-Commerce Times.

A rainbow table is a pre-computed table for reversing cryptographic hash functions. It's usually employed to crack password hashes.